[19209] in bugtraq
Re: vixie cron possible local root compromise
daemon@ATHENA.MIT.EDU (gabriel rosenkoetter)
Tue Feb 13 23:27:05 2001
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
Message-Id: <20010213155632.G3091@eclipsed.net>
Date: Tue, 13 Feb 2001 15:56:32 -0500
Reply-To: gabriel rosenkoetter <gr@ECLIPSED.NET>
From: gabriel rosenkoetter <gr@ECLIPSED.NET>
X-To: Alan DeKok <aland@giles.striker.ottawa.on.ca>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To: <200102132054.PAA09650@giles.striker.ottawa.on.ca>; from aland@giles.striker.ottawa.on.ca on Tue, Feb 13, 2001 at 03:54:00PM -0500
On Tue, Feb 13, 2001 at 03:54:00PM -0500, Alan DeKok wrote:
> I find this attitude amazing. You don't understand why other people
> would want to have usernames longer than 8 characters, so you're
> willing to blame *their* systems for security problems when insecure
> applications are executed on those systems.
Perhaps mine was not the most thought-out reply, but people who use
usernames longer than 8 characters should be aware that those
usernames are NOT unique under POSIX, and useradd programs that
allow them are at least *also* broken.
(No question that cron should do better bounds checking; my point
was that that bounds checking should be added out of paranoia, not
out of necessity.)
~ g r @ eclipsed.net
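The two points in the exchange above, a fixed-size username buffer that needs a bounds check and a useradd that accepts names indistinguishable in their first 8 characters, can both be shown as ordinary defensive checks. The following C is an added illustration and is not code from vixie cron, from any useradd, or from either poster; the buffer size, the 8-character constant and the sample names are assumptions chosen for the example.

```c
#include <stdio.h>
#include <string.h>
#include <stddef.h>

/* Fixed-size buffer of the kind older daemons use for a login name.
 * The size is an assumption for this example, not taken from cron. */
#define USERNAME_BUF 9           /* 8 characters plus the terminating NUL */
/* Length past which the post says names are no longer distinguishable.
 * Used here only as the prefix length for the collision check. */
#define SHORT_NAME_LEN 8

/* Bounds-checked copy of a username into a fixed buffer.
 * Returns 0 on success, -1 if the name would not fit (or on bad args).
 * The caller then rejects or logs the name instead of the copy running
 * past the end of dest. */
int copy_username(char *dest, size_t destsz, const char *src)
{
    if (dest == NULL || src == NULL || destsz == 0)
        return -1;

    /* Measure at most destsz bytes so an unterminated src cannot be
     * scanned indefinitely either. */
    size_t n = 0;
    while (n < destsz && src[n] != '\0')
        n++;
    if (n >= destsz)            /* no room left for the NUL */
        return -1;

    memcpy(dest, src, n);
    dest[n] = '\0';
    return 0;
}

/* useradd-style check: does the proposed name collide with an existing
 * account in its first SHORT_NAME_LEN characters?  Returns the index of
 * the colliding entry, or -1 if the name is distinguishable from all. */
int find_prefix_collision(const char *proposed,
                          const char *const *existing, size_t count)
{
    for (size_t i = 0; i < count; i++) {
        if (strncmp(proposed, existing[i], SHORT_NAME_LEN) == 0)
            return (int)i;
    }
    return -1;
}

int main(void)
{
    char buf[USERNAME_BUF];
    /* Constructed sample names for the demonstration. */
    const char *const existing[] = { "alice", "rosenkoet" };
    const char *candidates[] = { "gabriel", "rosenkoetter", "bob" };

    for (size_t i = 0; i < 3; i++) {
        const char *name = candidates[i];
        int fits = copy_username(buf, sizeof buf, name);
        int clash = find_prefix_collision(name, existing, 2);
        printf("%-14s fits=%s collides_with=%d\n", name,
               fits == 0 ? "yes" : "no", clash);
    }
    return 0;
}
```

Both functions report a problem to the caller rather than silently truncating: a daemon that truncates a long name may end up acting for a different account than the one that was named, which is exactly the ambiguity the post objects to.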